For tagged VLAN Management IP address add VLAN 99 interface and assign IP address to it. Since the master-port receives all the traffic coming from switch-cpu port, VLAN interface has to be configured on the master-port, in this case "ether2" port. Now from switch-chip point there also has to be VLAN 99 tagging on switch1-cpu port.

VLAN

Note: It is recommended to get Serial Console cable and test it before configuring VLANs because you
may lose access to the CPU and/or the port you are connected to.

Note: Some changes may take some time to take effect due to already learned MAC addreses. In such cases flushing Unicast Forwarding Database can help: /interface ethernet switch unicast-fdb flush

Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip.
For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

Port Based VLAN

Example 1

Port Based VLAN 1

Choose a master port and enslave the ports you need to be in the same switch group.

InterVLAN Routing

InterVLAN Routing

InterVLAN routing configuration consists of two main parts – VLAN tagging in switch-chip and routing in RouterOS. This configuration can be used in many applications by combining it with DHCP server, Hotspot, PPP and other features for each VLAN. Additionally this example covers blocking of unwanted other VLAN traffic on ports.

For routing add VLAN interfaces on master-port because it connects with CPU port and add IP addresses to created VLAN interfaces. In this example three 192.168.x.1 addresses are added to vlan200, vlan300 and vlan400 interfaces.

CRS-2: The second switch in the service provider network require only switched ports using master-port and bridge-type configured to do forwarding according to service (outer) VLAN id instead of customer (inner) VLAN id.

Mirroring

Mirroring

The Cloud Router Switches support three types of mirroring. Port based mirroring can be applied to any of switch-chip ports, VLAN based mirroring works for all specified VLANs regardless switch-chip ports and MAC based mirroring copies traffic sent or received from specific device reachable from the port configured in Unicast Forwarding Database.

Port Based Mirroring

The first configuration sets ether5 port as a mirror0 analyzer port for both ingress and egress mirroring, mirrored traffic will be sent to this port. Port based ingress and egress mirroring is enabled from ether7 port.

VLAN Based Mirroring

The second example requires ports to be switched in a group. Mirroring configuration sets ether5 port as a mirror0 analyzer port and sets mirror0 port to be used when mirroring from VLAN occurs. VLAN table entry enables mirroring only for VLAN 300 traffic between ether2 and ether7 ports.

MAC Based Mirroring

The third configuration also requires ports to be switched in a group. Mirroring configuration sets ether5 port as a mirror0 analyzer port and sets mirror0 port to be used when mirroring from Unicast Forwarding database occurs. The entry from Unicast Forwarding database enables mirroring for packets with source or destination MAC address E7:16:34:A1:CD:18 from ether8 port.

Trunking

Trunking

The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported with up to 8 Trunk member ports per Trunk group.

Configuration requires a group of switched ports and an entry in the Trunk table.

Protocol Level Isolation

Protocol Level Isolation

Protocol level isolation on CRS switches can be used to enchance network security. For example, restricting DHCP traffic between the users and allowing it only to trusted DHCP server port can prevent security risks like DHCP spoofing attack.
The following example shows how to configure it on CRS.

Choose a master port and enslave the ports you need to be within the same switch group.

And configure port isolation/leakage profile for selected Community (2) to allow DHCP traffic destined only to port where the trusted DHCP server is located. registration-status and traffic-type properties have to be set empty in order to apply restriction only for DHCP protocol.